UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The 802.1x authentication server must place VVoIP and VTC traffic in the correct VLAN when authorizing LAN access for VVoIP and VTC endpoints.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19654 VVoIP 5310 SV-21795r2_rule Medium
Description
802.1x has the capability of configuring the network access switch port to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success” message sent from the authentication server back to the authenticator. General VVoIP and VTC requirements dictate that traffic from these devices are to be separated from the general LAN traffic and workstations by VLAN and IP address separation or segregation. An implementation of 802.1x within the LAN must support this requirement. As such the authentication server must provide the LAN switch with the proper VLAN configuration depending upon the device that is authenticated. For example, if all LAN ports are configured to use 802.1x LAN access control, and (as the typical case would be) are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. VTC endpoints must be similarly configured. If a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. Alternately, the switch port must be preconfigured for whatever device is expected to connect while in standby and implement the configuration when activated. This latter, however, is not how this is typically configured.
STIG Date
Voice/Video over Internet Protocol (VVoIP) STIG 2017-01-04

Details

Check Text ( C-24006r2_chk )
Review site documentation to confirm the 802.1x authentication server places VVoIP and VTC traffic in the correct VLAN when authorizing LAN access for VVoIP and VTC endpoints. When the network access control implementation uses 802.1x and the network access switch ports are configured as 802.1x authenticators, ensure the VVoIP and VTC endpoints integrate into the 802.1x access control system. If the 802.1x authentication server does not place data, VVoIP, and VTC traffic in the correct VLANs when authorizing LAN access for VVoIP and VTC endpoints, this is a finding.

An example follows:
If all LAN ports are configured to use 802.1x LAN access control (as the typical case would be), and are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a work station authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. If a VTC endpoint authenticates, the switch port must be configured with the VTC VLAN. When a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port.

When a VVoIP or VTC endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the required configuration for the network access switch ports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).
Fix Text (F-20358r2_fix)
Implement and document the 802.1x authentication server places data, VVoIP, and VTC traffic in the correct VLANs when authorizing LAN access for VVoIP and VTC endpoints.